ByBen Weitzenkorn, Tech News DailyMay 13, 2013

An Australian computer-security expert has created an application that lets anyone see the locations of the last three Wi-Fi access points used by an Apple iPhone or iPad — information that could be used to deduce where the iOS device user lives.

Melbourne-based researcher Hubert Seiwert's iSniff GPS, now freely available for anyone to download and use, combines three different Apple iOS features.

None of the features pose any threat to privacy on their own, but when combined could tell strangers a lot about you.

Three's a crowdsource

The first feature Seiwert used is well-known. Apple iOS devices that have both Wi-Fi and GPS turned on send the names and locations of all Wi-Fi access points they encounter back to the Apple mothership. The devices don't need to be connected to a specific access point for this to happen.

This feature helps Apple's mapping services. Google does the same thing with Android devices. Users of both kinds of devices can turn the data-sharing off.

The second feature is unique to iOS devices. Last year, security researcher Mark Wuergler of Miami-based Immunity Inc. found that iOS devices, when trying to connect to a Wi-Fi access point, will broadcast the unique network-interface IDs of the previous three Wi-Fi access points to which the devices actually did connect.

These unique network-interface IDs, called MAC addresses, can be physically located when run against online location services that keep databases of such things.

(MAC addresses differ from Wi-Fi access-point names such as "John's Wireless Router." MAC addresses are fixed, unique and used by machines to communicate with each other; Wi-Fi location names, also called SSIDs, can change at any time and exist for human convenience.)

Wuergler told the tech blog Ars Technica in March 2012 that he'd combined the Apple MAC-address feature with Google Location Services for Android to create a proof-of-concept application called "Stalker."

"I'll know where you work, I'll know where you live and know where you frequent," Wuergler said at the time. "If the last access point you connected to was your home, for example, I'll know right where to go to get to you later or get to your data."

One door closes, another opens

After Ars Technica ran its story, Google adjusted its location services so that they could no longer be used for that purpose.

But Seiwert leveraged the third Apple feature to get around that. He discovered that Apple's own Location Services for iOS gave up the physical locations of MAC addresses, collected as part of the crowd-sourcing mapping feature, if it thought the request came from an iOS device rather than from a human being.

"You can send Apple a single MAC address of a Wi-Fi router and they will send back a result set including the GPS coordinates of that MAC address and about 400 others" in the near vicinity, Seiwert told SC Magazine.

Seiwert's iSniff GPS tool automates the collection of data from all three processes. When Seiwert's laptop is connected to an open Wi-Fi access point he himself has set up, iSniff GPS locates all iOS devices within range; collects the MAC addresses of the previous three Wi-Fi access points to which each iOS device had connected; queries Apple Location Services for the physical location of each of logged MAC address; and finally, overlays the location results on Google Maps.

In a few minutes, iSniff GPS will have found and mapped the physical locations of the home wireless routers of the owners of most of the iOS devices within Wi-Fi range of the user's laptop.

While attending the BlackHat security conference in Las Vegas in July 2012, Seiwert used iSniff GPS to harvest 3,543 MAC addresses from 1,337 iOS devices. He gave a brief presentation on his findings at the Chaos Communication Congress security conference in Hamburg, Germany, in December 2012.

Seiwert has now posted iSniff GPS to the online open-source code repository GitHub.